Critical Flaws in Veeam Backup Systems Present Immediate Ransomware Risk

Veeam Software has issued patches for a set of severe security vulnerabilities in its core products, flaws that could grant attackers direct control over the backup servers many organizations count on for ransomware recovery. The most serious issue, identified as CVE-2025-23120, carries a near-maximum severity score of 9.9. It allows any user with standard domain credentials to run their own code on a Veeam Backup & Replication server, provided that server is connected to an Active Directory domain—a common, though discouraged, setup.

Another patched flaw, CVE-2025-23114, targets the software's update mechanism. An attacker positioned correctly on a network could hijack the update process to install malicious code with the highest level of permissions on appliance servers. This affects Veeam's tools for platforms like Salesforce, AWS, and Microsoft Azure.

The disclosure follows a troubling pattern. In both 2023 and 2024, critical vulnerabilities in Veeam's software were weaponized by ransomware gangs within weeks, sometimes days, of patches being released. Groups like Akira and BlackBasta have repeatedly used such flaws to sabotage backups before launching their attacks, leaving victims with no option but to pay.

Security researchers warn the clock is already ticking. Veeam has made updates available for its Backup & Replication, Service Provider Console, and Veeam ONE monitoring platforms. For enterprises, the urgent work is twofold: apply the patches immediately and review configurations. Taking backup servers off Active Directory domains, a long-standing Veeam recommendation, would neutralize the primary threat even without the update. In the current climate, a backup system isn't just a defensive tool; it's a high-value target.

Source: Webpronews